Classical Cryptography Simulator

X.509 Certificates and Public Key Infrastructure

Comprehensive X.509 certificate structure analysis, chain of trust visualization, and certificate revocation processes.

X.509 Certificate Structure
Five key fields of an X.509 certificate and their roles

Validity Period

critical

Defines the time period during which the certificate is valid

Subject Public Key

critical

Contains the public key of the certificate owner and algorithm information

Signature Algorithm

critical

Specifies the algorithm used to sign the certificate

Certificate Authority

critical

Identifies the CA that issued and signed the certificate

Extensions

important

Additional fields providing extra functionality and constraints

Chain of Trust
How certificates are linked in a hierarchical trust chain
🔐

Root CA

Example Root CA

🔑

Intermediate CA

Example Intermediate CA

🌐

End Entity

example.com

🔐

Root CA: Example Root CA

Self-signed root certificate that anchors the trust chain

Self-signed certificate that serves as the trust anchor
🔑

Intermediate CA: Example Intermediate CA

Issued by Root CA, signs end-entity certificates

Signed by Root CA, signs end-entity certificates
🌐

End Entity: example.com

Server certificate for the actual service

Final certificate used for actual services
Certificate Revocation Process
How certificates are revoked before expiry using Certificate Revocation Lists (CRL)

Certificate Revocation List (CRL) Process

1. Revocation Request: Certificate owner requests revocation
2. CA Verification: CA verifies revocation reason and identity
3. CRL Update: CA adds certificate serial number to CRL
4. CRL Publication: Updated CRL published to public repository
5. Client Check: Clients download and check CRL during validation
6. Rejection: Revoked certificates are rejected even if valid

Revocation Scenarios

Private Key Compromise

The certificate's private key has been exposed, stolen, or otherwise compromised

Server hacked and private key file extracted

high
Certificate Authority Compromise

The CA that issued the certificate has been compromised

CA's private signing key stolen

high
Identity Change

The certificate subject's identity or information has changed

Company name change or domain ownership transfer

medium
Operational Security

Certificate no longer needed or security policy requires revocation

Server decommissioned or security audit findings

medium
Technical Issues

Certificate was issued incorrectly or contains errors

Wrong domain name or organizational information

low
Real-World Usage: TLS/SSL Handshake
How X.509 certificates are used in secure web communication

TLS/SSL Handshake Process

Handshake Steps:
  1. Client connects to server (e.g., https://example.com)
  2. Server presents its X.509 certificate
  3. Client validates certificate chain up to trusted root CA
  4. Client checks certificate validity period and revocation status
  5. Client verifies domain name matches certificate
  6. If valid, client generates symmetric session key
  7. Client encrypts session key with server's public key
  8. Secure encrypted communication established
Security Benefits:
  • Authentication: Server proves its identity
  • Encryption: Communication is encrypted
  • Integrity: Data cannot be tampered with
  • Non-repudiation: Transactions can be traced

Certificate Validation

• Chain of trust verification
• Validity period check
• Domain name matching
• Revocation status check
• Extended key usage validation

Common Applications

• HTTPS web servers
• Email encryption (S/MIME)
• Code signing certificates
• VPN authentication
• Document signing
Key Takeaways
Summary of X.509 certificate concepts

Certificate Structure

• Validity Period ensures time-bound trust
• Subject Public Key enables encryption
• Signature Algorithm provides integrity
• Certificate Authority establishes trust
• Extensions add functionality

Trust & Security

• Chain of trust links certificates to root
• Revocation protects against compromise
• TLS/SSL enables secure communication
• Regular validation maintains security
• Proper management prevents breaches